diff options
Diffstat (limited to 'docs-xml/smbdotconf/security/maptoguest.xml')
| -rw-r--r-- | docs-xml/smbdotconf/security/maptoguest.xml | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml new file mode 100644 index 0000000..c98086a --- /dev/null +++ b/docs-xml/smbdotconf/security/maptoguest.xml @@ -0,0 +1,62 @@ +<samba:parameter name="map to guest" + type="enum" + context="G" + enumlist="enum_map_to_guest" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter can take four different values, which tell + <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> what to do with user + login requests that don't match a valid UNIX user in some way.</para> + + <para>The four settings are :</para> + + <itemizedlist> + <listitem> + <para><constant>Never</constant> - Means user login + requests with an invalid password are rejected. This is the + default.</para> + </listitem> + + <listitem> + <para><constant>Bad User</constant> - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the <smbconfoption name="guest account"/>.</para> + </listitem> + + <listitem> + <para><constant>Bad Password</constant> - Means user logins + with an invalid password are treated as a guest login and mapped + into the <smbconfoption name="guest account"/>. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to + guest</parameter> parameter this way :-).</para> + </listitem> + <listitem> + <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured + in some type of domain mode security (security = {domain|ads}) and means that + user logins which are successfully authenticated but which have no valid Unix + user account (and smbd is unable to create one) should be mapped to the defined + guest account. This was the default behavior of Samba 2.x releases. Note that + if a member server is running winbindd, this option should never be required + because the nss_winbind library will export the Windows domain users and groups + to the underlying OS via the Name Service Switch interface.</para> + </listitem> + </itemizedlist> + + <para>Note that this parameter is needed to set up "Guest" + share services. This is because in these modes the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. </para> +</description> + +<value type="default">Never</value> +<value type="example">Bad User</value> +</samba:parameter> |